I will be grateful if anyone can please help me to understand the below, which is taken from https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/high-availability/session-owner.html
1. In that case the secondary firewall acts as a 'dumb' gateway: it will send and receive packets, but all decisions are made on the active-primary. If the primary were to fail, it will start inspecting again.
2. Because the 'other' (primary) firewall was doing all the inspection, when there is a failover the secondary firewall will be able to resume the sessions, because it is aware of the session table, but it cannot resume scanning, as it is not aware of the scanning process while the session is being scanned remotely, and scanning cannot be 'started' mid-session.
Not silly questions; these are important considerations when weighing A/A vs A/P.
Thanks for this topic and reply. It now makes sense that in a failover event, the single active firewall will not create new sessions in the dead firewall's NAT tables bound by Group ID. This is because once it hands them back, L7 filtering would be unavailable on any sessions created during the failover event.